Institute of Measurement and Control. Functional Safety 2016
Page 4
Complying with IEC 61508 is a major undertaking for vendors of products, particularly for complex
PES logic solvers with many components, diverse hardware modules and software developed using
fully variable languages (FVL). Meeting and maintaining compliance with IEC 61508 is an ongoing
challenge for the life of the product and generally requires working very closely with an independent
third party assessor throughout that time.
The good news for systems integrators and users is that the functionality introduced to meet the
requirements of a specific systematic capability level pays dividends later on, when the product is used
as part of a safety instrumented system during the realisation and operation phases of the safety lifecycle.
Certification and Systematic Capability
When implementing a Safety Instrumented System it is common to make use of devices which have been
independently assessed and certified by a third party to show that they meet the requirements of IEC
61508. However, neither IEC 61508 nor IEC 61511 actually mentions certification, of either products
or people.
The adoption of certification has proved a useful, arguably necessary, expedient for both
manufacturers and end users, but it is important to understand the limits of certification and not to
misinterpret, and therefore be misled by, the information that appears on certificates and associated
reports.
Certificates have traditionally indicated a SIL capability but this terminology isn’t defined within either
IEC 61511 or IEC 61508 so the term systematic capability, which refers to a SIF element rather than
the SIF itself, is encouraged as a way to more clearly convey what the certification covers.
First and foremost, a certificate generally states that the device in question was developed in
accordance with IEC 61508 and therefore that its systematic safety integrity is of a sufficiently high
level to support its use in a SIF of up to the stated SIL, provided it is implemented in accordance with
the safety manual.
Where applicable the certificate may also give some indication of what degree of hardware fault
tolerance (HFT) is required to meet a given SIL. This is helpful for assessing architectural
constraints. The certificate (or the associated report) will also contain failure rate data to allow the
calculation of the overall PFDavg for the SIF.
Determining whether a Safety Instrumented Function meets a particular SIL from a hardware integrity
standpoint requires an assessment of all the components used and of the SIF architecture. So even
though a device may carry a certificate that says it ‘meets’ SIL 2 and has SC 2, this does not
automatically mean that a SIF built entirely from SIL 2 / SC 2 certified equipment will achieve
SIL 2. That also depends on the underlying safety data (failure rates, proof test interval,
probability of failure on demand etc.) for the components and on the application itself.
So always read the report that accompanies the certificate and take note of the safety manual. If in
doubt, seek clarification from the product manufacturer.
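The point above is easiest to see with numbers. The following is an added worked example, not
part of the original paper and not vendor data: the dangerous undetected failure rates, proof test
intervals, beta factor and tag names are constructed for illustration. It uses the simplified
IEC 61508-6 PFDavg approximations for 1oo1 and 1oo2 voting (repair times neglected) and the
low demand mode SIL bands, and shows that the same three SIL 2 certified elements give a SIL 2 loop
at a one year proof test interval but only SIL 1 at three years, and that the loop's systematic
capability is capped by the weakest element's certificate whatever the PFDavg comes out at.

```python
"""Worked PFDavg check for a simple low-demand SIF (added illustration).

All failure rates, intervals, beta and tag names are CONSTRUCTED examples, not
vendor data. Formulas are the simplified IEC 61508-6 approximations with MTTR/MRT
neglected: adequate to show the reasoning, not to certify a loop.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0
FIT = 1e-9  # 1 FIT = one failure per 1e9 hours

# Low demand mode PFDavg bands (lower bound inclusive, upper bound exclusive).
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}


@dataclass
class Element:
    name: str                    # constructed tag, e.g. "PT-101"
    lambda_du: float             # dangerous undetected failure rate, per hour
    certified_sil: int           # SIL / systematic capability stated on the certificate
    voting: str = "1oo1"         # "1oo1" or "1oo2"
    beta: float = 0.0            # common cause fraction, used for 1oo2 only

    def pfd_avg(self, t1: float) -> float:
        """Simplified IEC 61508-6 PFDavg for proof test interval t1 (hours)."""
        lam = self.lambda_du
        if self.voting == "1oo1":
            return lam * t1 / 2.0
        if self.voting == "1oo2":
            # independent (beta-reduced) channels plus the common cause term
            return ((1.0 - self.beta) * lam) ** 2 * t1 ** 2 / 3.0 + self.beta * lam * t1 / 2.0
        raise ValueError(f"unsupported voting {self.voting!r}")


def sil_from_pfd(pfd: float) -> int:
    """Highest SIL whose low demand band contains pfd; 0 if worse than SIL 1."""
    if pfd < SIL_BANDS[4][0]:
        return 4
    for sil in (4, 3, 2, 1):
        lo, hi = SIL_BANDS[sil]
        if lo <= pfd < hi:
            return sil
    return 0


def assess_sif(elements: list, t1: float) -> dict:
    """Sum element PFDavg values and cap the result by the weakest certificate."""
    per_element = {e.name: e.pfd_avg(t1) for e in elements}
    total = sum(per_element.values())
    hardware_sil = sil_from_pfd(total)
    # Systematic capability of the loop can be no better than its weakest element.
    sc_limit = min(e.certified_sil for e in elements)
    return {
        "pfd_avg": total,
        "hardware_sil": hardware_sil,
        "sc_limit": sc_limit,
        "sil": min(hardware_sil, sc_limit),
        "per_element": per_element,
    }


def example_loop(redundant_valves: bool = False) -> list:
    """Constructed sensor / logic solver / final element loop, all certified SIL 2."""
    valve = Element("XV-101", 1000 * FIT, 2,
                    voting="1oo2" if redundant_valves else "1oo1",
                    beta=0.1 if redundant_valves else 0.0)
    return [Element("PT-101", 500 * FIT, 2), Element("LS-1", 50 * FIT, 2), valve]


if __name__ == "__main__":
    for years in (1, 3):
        for redundant in (False, True):
            r = assess_sif(example_loop(redundant), years * HOURS_PER_YEAR)
            print(f"T1={years}y valves={'1oo2' if redundant else '1oo1'}: "
                  f"PFDavg={r['pfd_avg']:.2e} -> SIL {r['sil']} "
                  f"(hardware SIL {r['hardware_sil']}, SC limit {r['sc_limit']})")
```

Extending the proof test interval from one to three years moves the all-1oo1 loop from the SIL 2
band into the SIL 1 band without any component changing; adding a second valve in 1oo2 voting brings
it back into SIL 2 at three years. The certificate tells you the elements are fit for SIL 2; only the
loop calculation tells you the SIF is.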
IEC 61511 Ed. 2.0 Device Selection
Para 11.5.2.1 of IEC 61511-1:2016 states:
“Devices selected for use as part of a SIS with a specified SIL 1 to SIL 3 applications shall either
be in accordance with IEC 61508-2:2010 and IEC 61508-3:2010, as appropriate, or else they shall be
in accordance with 11.4 and/or 11.5.3 through 11.5.6, as appropriate.”
So, in short, devices should either meet the requirements of IEC 61508 or go down the route of
“prior use” as defined in IEC 61511-1:2016 to help demonstrate systematic capability.